2014-06-07

In April of 2014, insurers started selling insurance products
that covered physical harm generated by cyber effects
-- Google "cyber insurance" "property damage".
In May of 2014,
Sky News reported that over 42,000 London cars
-- nearly half of the cars stolen in the city of London --
were stolen with hacking.
The networked civilization we are building
is going to need to be able to make
strong promises about the safety of software,
because it won't just be guarding our data security
-- it will be guarding our physical security.
If we're going to be able to make strong promises about
software safety, we're going to need automation
that can investigate software in a
uniform, scalable and effective manner.
We know that expert auditors can't get there
-- IBM/Rational points out that our civilization crossed
1 trillion lines of code in the early 2000's.
Operating systems weigh in above 40 million lines
under constant development.
The problem is too big and it’s moving too fast.
We also know that today's automation is
losing every contest of wits to experts
-- in the wake of Heartbleed,
not a single automation product has come forward to say
that this flaw could have been detected
without expert annotation or intervention.
CGC is open technology development
on the problem of software safety,
a problem seen by the DoD
-- and everyone with a vested interest in our connected future.

. What if a purpose built supercomputer
could scour the billions of lines of code we depend on,
find and fix the toughest flaws,
upend the economics of computer security,
and level the playing field
between attackers and defenders?

. a lot invested in the [stale] attack/defense model
of computer security competition.
I've heard arguments from many players
that the current model of attack/defense CTF
[capture the flag competitions] is "stale".

6.7: my response:
. what is stale is the attack/defense model;
because, the chip firmwares have backdoors;
you need to secure the hardware;
then you can analyze the software;
but, at least with DECREE
they are promoting a microkernel OS
that can guarantee isolation between app's?
(well, the interface is tiny, if not the Trusted Code Base).
. unfortunately what they have in mind
is to use their simple OS only for
easily managing the budding automation competition;
then they plan to evolve the winning buds
for auto-fixing today's software on today OS's.
. but, what can they do for firmware breaches?
. they are trying to show concern about cybercrimewithout actually blocking the backdoors used by NSA .

. the internet is becoming much more important
as vehicles and home appliances get networked
in what will be "the Internet of things" .
.
. the present internet disinfectant is manual:
expert programmers identify attacks
typically only after the attackers have
taken advantage of those weaknesses
to steal data or disrupt processes.
. then experts craft corrective patches and
and distribute those correctives to users everywhere,
which can take months to implement .
. we need to shift to fully automated systems
capable of discovering and neutralizing attacks instantly.
.
. Computer security experts from academia, industry
and the larger security community,
have organized themselves into more than 30 teams
to compete in the Cyber Grand Challenge
-- a first-of-its-kind tournament designed to
speed the development of automated security systems
able to defend against cyberattacks
as fast as they are launched .
. competitors will reverse-engineer software
that is created by challenge organizers
in order to locate and heal its hidden weaknesses
in a live network competition.
.
The seven DARPA-funded Phase 1 competitors are
For All Secure, GrammaTech, Lekkertech,
SIFT, SRI, Trail of Bits,
and the University of California, Berkeley.
. now through Nov. 2, 2014
additional teams may register to participate;
. in June 2015,
a major qualification event is scheduled .
.
. DECREE (DARPA Experimental Cybersecurity
Research Evaluation Environment)
is an open-source Linux extension,
designed by DARPA to provide a safe environment
for the Cyber Grand Challenge .
. it is a platform for operating
small, isolated software test samples
.
. computers that have made it through a series of
qualifying events over the next two years
would compete head-to-head at the
2016 Cyber Grand Challenge final competition,
held in conjunction with DEF CON,
a computer security conferences in Las Vegas in 2016.

# Simplicity: Where any industry OS such as Linux will have
hundreds of OS interface methods (system calls),
DECREE has just seven,
easing the work required to perform automatic identification
of program input and output.
DECREE also has its own executable format
with a single entry point method
to lower the barrier to entry for automation research
( We have just seven system calls with no polymorphism
or ambiguity in the ABI. Our simple binary format
has a single entry point method and no dynamic loader.
DECREE’s "OS tax", the bane of automation research,
is as close to zero as any platform in existence.
)# Incompatibility:The software which runs in DECREE
is custom-built for computer security research.
DECREE programs have their own binary format,
their own system call paradigm
and share no code or protocols with the real world.
For this reason, automation research done in DECREE
is incompatible with the software that runs our world.# High determinism: Reproducibility is a key aspect of a sound scientific design.
While perfect system state replay is impossible without
a full system event recorder,
DECREE has been designed to allow high determinism
and reproducibility given a record of software and inputs.
This reproducibility property has been built into DECREE
from kernel modifications
up through the entire platform stack.openware:DECREE is Open Source and will remain so in perpetuity
as it is an experimentation ecosystem capable of
uniting program analysis research,
Capture-the-Flag competitions,
and other applied research activities.

CGC PoV (proof of vulnerability):
The DARPA Cyber Grand Challenge (CGC) seeks to
improve the state of the art in
automated detection and patching of software flaws.
As part of the CGC,
automated reasoning systems are required to
emit a "proof of vulnerability" (PoV) against flawed software
as a means of demonstrating deep knowledge of
each flaw that is discovered.
A valid PoV describes a sequence of actions
that a verifying application may carry out
in order to reliably recreate the conditions
under which a vulnerable software application
may be demonstrated to contain a flaw.all for ...:

. CGC will be played by automated systems,
and part of their job will be to
process never-before-seen software
and build secure replacements.

-- Unofficial Guide to the World's Most Popular Disassembler
No source code? No problem. With IDA Pro,
the interactive disassembler,
you live in a source code-optional world.
IDA can automatically analyze
the millions of opcodes that make up an executable
and present you with a disassembly.
But at that point, your work is just beginning.
With The IDA Pro Book, you'll learn how to
turn that mountain of mnemonics into
something you can actually use.
Hailed by the creator of IDA Pro as
"profound, comprehensive, and accurate,"
the second edition of The IDA Pro Book
covers everything from the very first steps
to advanced automation techniques.